<?php

/**
 * 迅睿专用木马扫描、文件异常排查
 */

header('Content-Type: text/html; charset=utf-8');

$auto = 1;

#define('WEBPATH', '/www/wwwroot/');

if (strpos(dirname(__FILE__), 'public') !== false) {
    define('WEBPATH', dirname(dirname(__FILE__)).'/');
} else {
    define('WEBPATH', dirname(__FILE__).'/');
}
#
define('ROOTPATH', WEBPATH);
define('SELF', pathinfo(__FILE__, PATHINFO_BASENAME));
if (function_exists('ini_get')) {
    $pfile = ini_get('auto_prepend_file');
    if ($pfile) {
        echo '<font color="#ff7f50">php.ini中auto_prepend_file参数疑似可疑代码：'.$pfile.'</font><br>';
    }
    $afile = ini_get('auto_append_file');
    if ($afile) {
        echo '<font color="#ff7f50">php.ini中auto_append_file参数疑似可疑代码：'.$afile.'</font><br>';
    }
} else {
    echo '<font color="#ff7f50">ini_get不支持</font><br>';
}

$vcfg = [];
if (is_file(dirname(__FILE__).'/'.'dayrui/My/Config/Version.php')) {
    $vcfg = require dirname(__FILE__).'/'.'dayrui/My/Config/Version.php';
} elseif (is_file(dirname(dirname(__FILE__)).'/dayrui/My/Config/Version.php')) {
    $vcfg = require dirname(dirname(__FILE__)).'/dayrui/My/Config/Version.php';
}

if ($vcfg) {
    echo '当前CMS版本：V'.$vcfg['version'].'（'.$vcfg['downtime'].'）- '.$vcfg['name'].'（如果版本不是最新，请尽快升级到最新版本）<br>';
}

echo '检查开始: '.WEBPATH.'<hr>';
checkdir(ROOTPATH);
echo '<hr>检查完毕（'.$auto.'），以上红色提示的文件需要手动观察里面的文件源码是否可疑。';
echo '<br>如果自己不会分析可疑代码，请联系官方专业人员帮你排查，全民免费排查木马：https://www.xunruicms.com/anquan/';

function checkdir($basedir){
    if ($dh = @opendir($basedir)) {
        while (($file = readdir($dh)) !== false) {
            if ($file != '.' && $file != '..'){
                $ext = trim(strtolower(strrchr($file, '.')), '.');
                if (!is_dir($basedir."/".$file)) {
                    if (in_array($ext, ['php']) and filesize($basedir."/".$file) < 1024*1024*3 and $file != SELF) {
                        $rt = checkBOM("$basedir/$file");
                        if ($rt) {
                            echo "C".date('Y-m-d H:i:s', filectime($basedir."/".$file))." -- M".date('Y-m-d H:i:s', filemtime($basedir."/".$file))." -- 文件：".str_replace(WEBPATH, '', $basedir."/".$file)." ".$rt." <br>";
                        }
                    }
                }else{
                    $dirname = $basedir."/".$file;
                    checkdir($dirname);
                }
            }
        }
        closedir($dh);
    }
}

function checkBOM ($filename) {
    global $auto;
    $contents = @file_get_contents($filename);
    $charset[1] = substr($contents, 0, 1);
    $charset[2] = substr($contents, 1, 1);
    $charset[3] = substr($contents, 2, 1);
    $auto++;

    $times = [
        //'2023-03-23 14:28:08',
    ];
    if ($times) {
        foreach ($times as $time) {
            if (date('Y-m-d H:i:s',filectime($filename)) != $time) {
                return ("<font color=red>时间可疑</font>");
            }
        }
    }

    foreach ([
                 'baidu',
                 'httpGet(',
                 'curl_init',
                 'set_time_limit(0)',
                 'error_reporting(0)',
                 'base64'
             ] as $t) {
        if (stripos($contents, $t)) {
            return ("<font color=red>可疑代码：".$t."</font>");
        }
    }
    return '';
}
